This article was co-authored by wikiHow staff writer, Nicole Levine, MFA. Nicole Levine is a Technology Writer and Editor for wikiHow. She has more than 20 years of experience creating technical documentation and leading support teams at major web hosting and software companies. Nicole also holds an MFA in Creative Writing from Portland State University and teaches composition, fiction-writing, and zine-making at various institutions.
This wikiHow teaches you how to create secure, unique, and memorable passwords on your computer, phone, or tablet.
Steps
What Makes a Password Secure?
1. Your password should contain at least 12 characters. The content of your password is important, but it's the number of characters that can really determine how long it takes to crack.[1] While the standard 8-character password can take less than a day to crack using modern tools, it can take a hacker several hundred years to crack a good 12-character password!
- The more characters in your password, the harder it is to crack. Remember, 12 characters should be the minimum—having a 14, 15, or 16-character password will only make it more secure.
2. Include letters, numbers, mixed case, and special characters. This is especially important if you're using a password with fewer than 12 characters. Many websites and services now require passwords to meet these requirements, so you're probably used to this already. An important thing to keep in mind is that certain password hacking tools are able to guess numbers and special characters if you use them in an expected way—in place of letters they look similar to.[2] For example, people often use the @ symbol in place of an a, or a zero in place of the letter O—password hacking tools know to check for this usage. When using symbols and numbers, place them in unexpected places.
3. Avoid using a single dictionary word. A dictionary attack is when a hacker uses a giant list of dictionary words to crack passwords. For example, let's say your password is acupuncturists. You may be thinking, "great, I have an easy-to-remember 14-character password that will take hundreds of years to crack!" The truth is, because that word is in the dictionary, that password is vulnerable to a dictionary attack.
- However, misspelling "acupuncturists" and adding a number and special character would make that an exceptional password! For example, AcU-punkturists95.
- Stringing multiple dictionary words together is okay as long as you have at least 12 characters and adjust it to include at least one number, special symbol, and capital letter.
4. Stay away from passwords based on your personal information. Although the password 555MainSt.90210 may seem like a pretty secure password, that's only true if you do not live at that address. Hackers can find information about you online, such as your family name, birthdate, address, or college. Using anything that can be tied back to your identity in your password can really put you at risk.
- To make the password 555MainSt.90210 more secure, you could change the street number or street name, add special characters, or swap the zip code for a random string of letters and numbers.
5. Have a unique password for every site and service you use. Every account you have—work accounts, social media accounts, and anything else that requires a login and password—should have its own unique password. Although using the same password everywhere makes it easy to remember, it's also like putting out a welcome mat for the identity thieves. If a site you use gets hacked and your password is exposed, hackers can use fast-acting scripts to try your now-public login information on other websites. If you use the same username and password on another site and the hacker finds that site, now both of those accounts are compromised!
- To find out if your login information has ever been exposed by hackers in a data breach, visit https://haveibeenpwned.com and search for your email address. If you find yourself in the database, change your passwords immediately!
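The checks from steps 1 through 4 can be expressed as a small validator. This is an added example, not part of the original article; the look-alike map beyond @ and 0, the sample word set, and the function names are assumptions made for illustration.

```python
import re

# Look-alike substitutions that cracking tools undo. The article names @ for a
# and 0 for O; the other pairs are assumptions chosen for this example.
LOOKALIKES = str.maketrans(
    {"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "!": "i"}
)

# Constructed stand-in for a real dictionary file.
SAMPLE_WORDS = {"acupuncturists", "password", "umbrella", "simpson"}


def normalize(password):
    """Lower-case, undo look-alike substitutions, and keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LOOKALIKES))


def check_password(password, personal=(), words=SAMPLE_WORDS):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if not all(re.search(c, password) for c in classes):
        findings.append("missing a character class")
    # Step 3: a lone dictionary word stays guessable even with @ or 0 swapped in.
    if normalize(password) in words:
        findings.append("single dictionary word after undoing substitutions")
    # Step 4: compare against personal details with spacing and punctuation removed.
    flat = re.sub(r"[^a-z0-9]", "", password.lower())
    for item in personal:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 4 and token in flat:
            findings.append(f"contains personal detail: {item}")
    return findings
```

Passing your own street address, zip code, or birthdate as `personal` shows why 555MainSt.90210 is only safe for someone who does not live there.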
How Can I Create a Password I Can Remember?
1. Come up with a passphrase. So, you know the rules—at least 12 characters, and a different password for every site and service. But how can you come up with dozens of unique passwords you can actually remember? Well, one way is to come up with a 5-word phrase that's difficult to guess, string the words together (plus a number and special character), and add the name of (or a few letters from) the site or service you're signing in to. An easy way to come up with a random 5-word phrase to start with is to use Diceware.[3] Here's how:
- Download the Diceware list from https://theworld.com/~reinhold/diceware.wordlist.asc. If it doesn't open up automatically in your web browser, just save it to your computer, and then right-click the downloaded file, select Open with, and choose Notepad (PC) or TextEdit (Mac).
- Grab a sheet of paper, a pen, and a die. If you don't have any dice lying around, check out https://freeonlinedice.com.
- Roll the die and write down the number. Do this 5 times so you have a 5-digit number (e.g., 26231).
- Open the Diceware list and find the word that corresponds with your number. In this case, the word is forgot.
- Do this 5 more times until you have 5 complete words.
- Combine the words to create a password. Be sure to adjust the phrase so it includes at least one number, one special character, and one capital letter. For example, let's say our 5 words are forgot gator sun kafka sash julep. You could try something like this for an ultra-secure password: 50Forgot-Gator-Sun-Kafka-Sash-Julep
- You shouldn't reuse this password on other sites, but you can use a variation of it, if you're careful! One idea is to take the last 2 letters from the website or service you're signing in to—for example, ok for Facebook, and er for Twitter—and add it to the password. This way your password for Facebook could be 50Forgot-Gator-Sun-Kafka-Sash-JulepOK, while your Twitter password could be 50Forgot-Gator-Sun-Kafka-Sash-JulepER. Although if someone got a hold of your Facebook password, they may be able to guess that the "OK" came from the last two letters of Facebook and use that logic to crack your Twitter password—rare, but possible. The point is, come up with a scheme to add to the same string of 5 words that makes it unique to the site, and thus easy to remember your password.
2. Use an abbreviation or clever acronym that nobody would guess. Think of a line in a song, poem, or saying that you like that's about 10 words long—it can be fewer words than that, but you'll need to add more characters. Then, take the first letter of each word in the line and string them together. Now, add at least one number and one special symbol, and then make one of the characters a capital letter.
- For example, let's say you've come up with the line from Rihanna's "Umbrella" that goes "You have my heart and we'll never be worlds apart." If you take just the first letter of each word from that line, you'll have yhmhawnbwa, which is 10 characters. We can now capitalize a few letters and bring it to 12 characters by adding a number and a special symbol: YHMHawnbwa2!. Not so bad to remember!
- Now try adding some variation of the site or service you're using the password for. For example, if it's your Facebook password, you could make the password YHMHawnbwa2!FA (FA being the first two letters of Facebook).
- Although we still don't recommend you reuse the password as-is, you can now come up with an easy-to-remember variation for your Twitter account, which could be !TWYHMHawnbwa2. Notice how the TW, the first two letters of Twitter, is at the beginning of the phrase this time instead of the end—this is an extra precaution just in case someone gets a hold of your Facebook password and tries to use it to sign in to Twitter.
3. Try a password generator. A password generator is a website that comes up with a password for you based on certain criteria. While these sites can create very secure passwords, they won't be the easiest to remember. But if you're using a password manager, or can come up with a clever acronym that can jog your memory, a password generator can be very valuable.
- The LastPass password generator tool lets you choose the number of characters and whether to include certain characters.
4. Use a password manager. If you're still feeling daunted by the idea of remembering lots of passwords, you're in luck. Password managers work by saving all of your logins and passwords in one encrypted location. Your passwords are then protected by a single master password, which would be the only password you'd need to memorize. You'd then install the password manager on all of your devices—phones, tablets, and computers—so you can always log in to the sites and services you need.
- Another bonus of password managers is that they can help you create super secure passwords for every site without you having to come up with them on your own.
- Password managers usually have free options, but have more robust features that require subscriptions.
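The Diceware procedure from step 1 can also be carried out in code, with the operating system's secure random generator standing in for the die. This is an added example, not part of the original article; the function names are assumptions, and the embedded list excerpt is constructed (only the 26231/forgot pair comes from the article).

```python
import math
import re
import secrets

# Constructed excerpt in a "NNNNN<tab>word" layout with non-entry wrapper lines.
# Only 26231 -> forgot is from the article; the other pairs are made up.
SAMPLE_LIST = """-----BEGIN PGP SIGNED MESSAGE-----

26231\tforgot
11111\tgator
66666\tsun
-----BEGIN PGP SIGNATURE-----
"""

ENTRY = re.compile(r"^([1-6]{5})\s+(\S+)$")


def parse_wordlist(text):
    """Map 5-digit roll strings to words, skipping wrapper and blank lines."""
    table = {}
    for line in text.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            table[match.group(1)] = match.group(2)
    return table


def roll_index():
    """Five die rolls (1-6 each) from the OS CSPRNG, joined into one index."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def passphrase(table, n_words=5, rolls=None):
    """Look up n_words by roll; pass `rolls` to use results from real dice."""
    if rolls is None:
        if len(table) != 6 ** 5:
            raise ValueError("random rolls need the full 7776-entry list")
        rolls = [roll_index() for _ in range(n_words)]
    return [table[r] for r in rolls]


def entropy_bits(n_words, list_size=6 ** 5):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def decorate(words, number):
    """The article's formatting: number prefix, capitalized words, hyphens."""
    return f"{number}" + "-".join(w.capitalize() for w in words)
```

Each word chosen this way contributes about 12.9 bits of entropy, so the strength comes from the random rolls, not from the added number or capital letters.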
How Do I Keep My Passwords Secure?
1. Always enable two-factor authentication (2FA). In addition to having a unique password on every site and service, you'll need 2FA to reach peak security. When you enable 2FA for an account, you'll have to complete an additional step before you'll be able to access your account. The way it works on most sites is that after your password is authenticated, you'll receive a verification code via email, SMS, or in an authenticator app. Once you have your special code, you'll enter it into a field to complete the sign-in. This means that even if someone cracks your password, they'd need access to your texts, email, or authentication app to actually gain access to your account.
- Nearly every major social media site, email provider, and banking website offers 2FA as an option.
2. Avoid writing down your exact password. Let's be real—it's hard to remember multiple 12+ character passwords, and no matter how many times you read "don't write down your passwords," there may be times when it seems like there's no choice. However, if you do write down your passwords, avoid writing them down exactly as you type them. Instead, write down a hint or riddle that will help you remember it.[4]
- For example, let's say your password is S!impson90Bart because you love Bart Simpson and you started watching the show in 1990. Rather than write it down exactly, you could write "My favorite character and year the show began." All you'd really need to remember is the position of the exclamation point and the year.
3. Do not share your passwords. Never send your password to anybody else by email, text message, direct message, or any other means of communication without an extremely compelling reason. Something important to remember is that no technical support representative from any service should ever need your personal password to help you resolve issues—if you ever receive a phone call from someone who claims to need your password to resolve a problem, do not provide it to them.
- It's also important to avoid storing a copy of your password(s) on your computer, phone, or tablet. If a hacker gets a hold of your device, they'll have access to all of your accounts.
4. Never enter your password on a shared computer. A computer that isn't yours may have keylogging software that captures everything you type—including your login name and password. Even if you do trust the owner of the computer, make sure you do not save your password when signing in to websites (many web browsers ask you to do this automatically)—though the owner may not sign in to your account, someone could hack the owner, and then hack you.
References
- [1] https://nordpass.com/blog/how-long-should-password-be/
- [2] https://www.wired.com/2014/08/passwords-microsoft
- [3] https://www.avg.com/en/signal/how-to-create-a-strong-password-that-you-wont-forget#topic-7
- [4] https://support.microsoft.com/en-us/windows/create-and-use-strong-passwords-c5cebb49-8c53-4f5e-2bc4-fe357ca048eb
About This Article
1. The password should include at least 12 characters.
2. Use a unique password everywhere you sign in.
3. Avoid a solitary dictionary word.
4. Mix letters, numbers, and special characters.
5. Start with 5-word phrases or acronyms and add text you'll remember.